This is a very common use case where we need to enable SSO between Oracle Fusion and PaaS IDCS.
We generally have a company SSO provider like Onelogin, Okta etc(We will see this in different Post to enable IDCS with third party SSO provider) .
In this post we will see how we can create SSO between Fusion SaaS and IDCS.
We may need this for embedding VBCS pages in SaaS pages(This is separate from adding VBCS link in Fusion) or having all Oracle application authentication from a single IDP.
One of the use case will be , we have created a VBCS page and we want to embed this page in Fusion standard page(in X-frame)
We can follow below steps to achieve the same:
Note:
We need to have below roles to perform the steps:
1). Fusion Applictaion-> It Security Manager (ORA_FND_IT_SECURITY_MANAGER_JOB)
2). IDCS: Application Administrator roles and User Administrator
3). Fusion Application : Admin user to enable the IDP and SSO(this will be the last step)
This post is for enabling SSO for Fusion Release13.
There are 3 parts to for the SSO enablement.
- Fusion Application Setups
- IDCS Setups
- Testing and enabling SSO
Since we are making IDCS as our IDP so we need to download the IDCS metadata file:
Sign in to the Oracle Identity Cloud Service console as an administrator.
In the web browser address bar enter the following URL to access the metadata:
https://<IDCS-Tenant-Instance>.identity.oraclecloud.com/fed/v1/metadata, where\<IDCS-Tenant-Instance\>is the tenant name of your Oracle Identity Cloud Service instance.Save the XML content of your web browser to a file on your desktop with the name like
idp_metadata.xml.if we try the point 2 without logging in then we might get error, the reason could be that access signing certificate without logging might not be enabled.
Below screenshot is for the same:
The Metadata XML would look like below:
Fusion Application Setups
Now we will create the IDCS as IDP in Fusion application.
For this login to your fusion application having the role mentioned in the beginning.
Go to navigator-> Tools, click Security Console
Click on Single Sign-On on the left menu and in the Single Sign-On page, click Create Identity Provider.
In the Single Sign-On Configuration: Identity Provider Details page, click Edit.
Provide the details as below and in the Import Identity Provider Metadata section, click Browse, browse to the Identity Provider metadata file on your desktop which you had downloaded in the beginning, and then click Open.
Parameter Value Name The name of the identity provider can't contain spaces or special characters, For example, OracleIdentityCloudService Name ID Format Unspecified Default Identity Provider Selected Enable Chooser Login Page You select this field so that the Oracle Fusion Applications Cloud Service administrator (local user) can access Oracle Applications Cloud console. Once you have a user created in Oracle Identity Cloud Service which synchronizes with the Oracle Fusion Applications Cloud Service administrator account, then you can deselect Enable Chooser Login Page
Also Provide a signout url(where it should go if we logout from application).Click Save and Close
In the Single Sign-On Configuration: Identity Provider Details page, click Service Provider Details, click the download icon for the Service Provider SHA 256 Metadata URL, and then save the file on your local desktop with the name like
fa_sha256_metadata.xml.
Open the the file downloaded in previous step
fa_sha256_metadata.xml, locate the <dsig:X509Certificate> tag under <md:KeyDescriptor use="signing">, and then copy the value between <dsig:X509Certificate> and </dsig:X509Certificate>.The value to be copied will be like below highlighted in yellow:
<dsig:X509Certificate> abcd1234EFGH5678ijklj0= </dsig:X509Certificate>
Create a new .pem file and paste the certificate text like below and save the file with any name. For examplefa_cert.pem
Now Open the
same fa_sha256_metadata.xmlfile and locate the following and make a note of the following value.Refer the screenshots attached for each.- entityID
- Assertion Consumer URL
- Single Logout URL
- Logout Response URL
- entityID attribute in the
<md:EntityDescriptortag, and make note of the value.
For example, if the
fa_sha256_metadata.xmlfile contains:<?xml version="1.0" encoding="UTF-8"?> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:enc="http://www.w3.org/2001/04/xmlenc#" ... entityID="https://eeho.login.us2.oraclecloud.com:443/oam/fed" validUntil="2029-07-23T06:24:39Z">Refer below screenshot
The value will be like below:
Assertion Consumer URL
For this find the Location attribute in <md:AssertionConsumerService under the <md:SPSSODescriptor element from the element that has <md:Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"It will be like below:
https://xxxx-dev3.login.us6.oraclecloud.com/oam/server/fed/sp/sso
Single Logout URL
For this find Location attribute in the <md:SingleLogoutService element under the <md:SPSSODescriptor element.
Make a note of the value from the element that has <md:Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".It will be like below:
https://xxxx-dev3.login.us6.oraclecloud.com/oamfed/sp/samlv20
Logout Response URL
For this get the value of <md:ResponseLocation attribute in the <md:SingleLogoutService element under the <md:SPSSODescriptor element.
from the element that has <md:Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".It will be like below: https://xxxx-dev3.login.us6.oraclecloud.com/oamfed/sp/samlv20 
We would need landing page URLs of Fusion CRM, ERP,HCM etc.
Alternatively we can use Fusion home page url as common for all Landing URLs and then after logging in to Fusion we can navigate to respective modules.
The Fusion home page which we will be using will be like below:
Fusion Application Homepage URL:
https://xxxx-dev3.fa.us6.oraclecloud.com/fscmUI/faces/AtkHomePageWelcome
At this point we are done with the initial setups from Fusion application side.
Now we need to do configurations in PaaS IDCS.
IDCS Setups
A new window appears, select App Catalog.
Now we will search for and then click on Add
In the Details tab, update the name of the application as per your Oracle Fusion Applications Cloud Service environment's name. For example, XXXX Dev3 FA
By default, all Oracle Fusion Applications apps are selected (CRM, ERP, HCM, and SCM). Uncheck the apps that aren't required, and then click Next. Here we have checked ERP
For the Application URL / Relay State eneter the "Assertion Consumer URL" which we obtained in Fusion application setup task.
The value will be like:
https://xxxx-dev3.login.us6.oraclecloud.com/oam/server/fed/sp/sso
For each app specific landing page URL(Here it is ERP for us), we will use the Fusion application homepage URL which we noted at the last step in Fusion application setup tasks.
The value will be like:
https://xxxx-dev3.fa.us6.oraclecloud.com/fscmUI/faces/AtkHomePageWelcome
Refer the below screenshot:
Click Next and Now in the SSO configuration tab enter the Entity Id that we noted in Fusion Application setup task.
The value will be like below:
https://xxxx-dev3.login.us6.oraclecloud.com:443/oam/fed
For Assertion Consumer URL, eneter the "Assertion Consumer URL" which we obtained in Fusion application setup task.
The value will be like below:
https://xxxx-dev3.login.us6.oraclecloud.com/oam/server/fed/sp/sso
Expand Advanced Settings and enter the following:
For the Single Logout URL eneter the Single Logout URL we noted in Fusion application setup task.
The value will be like below:
https://xxxx-dev3.login.us6.oraclecloud.com/oamfed/sp/samlv20
For the Logout Response URL eneter the Logout Response URL we noted in Fusion application setup task.
The value will be like below:
https://xxxx-dev3.login.us6.oraclecloud.com/oamfed/sp/samlv20
Optionally, in the Authentication and Authorization section, select the Enforce Grants as Authorization check box. When enabled, Oracle Identity Cloud Service performs a validation on the user authorization status for the application. Only users assigned to this application in Oracle Identity Cloud Service can access the application.
Note:
This (Enforce Grants as Authorization check box) is not mandatory , here we want to verify the validation on users so we have checked it.
We can leave it unchecked if we do not want IDCS to perform validations on user authorization status.
Refer the below screenshot for entering the above values:
Click Next and then Finish
Click Activate and then click OK in the Confirmation window. Oracle Identity Cloud Service displays a message that your Oracle Fusion Applications Cloud Service has been activated.
Since we have checked Enforce Grants as Authorization check box in the Authentication and Authorization section, So we need to add users to this App in IDCS, otherwise it will give below error if we try testing in Our Fusion (Here Dev3) for this IDP with a user which is not assigned to this app in IDCS.
When Enforce Grants as Authorization is enabled, Oracle Identity Cloud Service performs a validation on the user authorization status for the application. Only users assigned to this application in Oracle Identity Cloud Service can access the application.
Note:
If we do not check the checkbox for Enforce Grants as Authorization under
Authentication and Authorization in the Fusion app we created in IDCS then we do not need to assign users. We will not get below error while testing .
Also if we go to myconsole of PaaS IDCS where we had created the app, we will not be able to see this app if we do not assign user.
It will show like below(since we have only one App created in IDCS as of now and my user is not yet assigned to it):
So open the App which we created in IDCS "XXXX Dev3 FA".
Go to Users tab as Shown in Screenshot below:
Click on Assign and then seach for the User you want to assign. Select the user and click on OK
Now we can see this user in assigned users list.
Now if we go to IDCS myconsole with this user then we will be able to see the application there.
Testing and enabling SSO
On the Initiate Federation SSO page, select Partner (Our identity provider name) for Oracle Identity Cloud Service, and then click Start SSO . The Oracle Identity Cloud Service Sign In page opens.
Sign in to Oracle Identity Cloud Service using Oracle Identity Cloud Service’s user credential. After successful sign in, the Federation SSO Operation Result page opens with information on the SSO integration.
In the Federation SSO Operation Result page, verify SSO Primary Status Code has status SUCCESS, and then close the new browser or tab.
Refer the Below screenshot.
now the last step is enabling our identity provider(IDP).
For this, in the Single Sign-On Configuration: Diagnostic and Activation page, click Edit, click Enable Identity Provider, and then click Save and Close.
We can see that our IDP is enabled now:
-----------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------
Now let us test by unchecking Enforce Grants as Authorization under
Authentication and Authorization in the Fusion app we created in IDCS.
In this case we do not need user assignment to the app. So we will revoke the users.
Also our IDCS myconsole won't have any apps for this user :
Now repeat the Federation SSO test steps from Fusion Application for our IDP which we did earlier.
The Federation SSO Operation Result will be like below:
Since we have enabled SSO along with Chooser login page so we will get both the option(SSO +local username and password login) when we try logging in:
For the current setup our login page would look like below:
We will see Provisioning and Synchronization and integration with third party SSO in next posts.
No comments:
Post a Comment